Compliance With Requirements to Maintain Systems at Vendor-Supported Levels (Follow-Up)

Issued Date: January 19, 2021
Agency/Authority: Rochester-Genesee Regional Transportation Authority

Objective

To assess the extent of implementation of the two recommendations included in our initial audit report, Compliance With Requirements to Maintain Systems at Vendor-Supported Levels (Report 2019-S-6).

About the Program

The Rochester-Genesee Regional Transportation Authority (RGRTA) is a regional transportation authority established by New York State to provide safe, reliable, and convenient public transportation to customers in eight counties (Monroe, Genesee, Livingston, Ontario, Orleans, Seneca, Wayne, and Wyoming). RGRTA has more than 900 employees, including an information technology (IT) department that operates out of its main office. RGRTA owns IT resources, including approximately 525 desktops/workstations and 164 servers that support 57 databases used to help carry out its mission.

As a public benefit corporation, RGRTA must adhere to the New York State Information Technology Security Policy (Policy) established by the Office of Information Technology Services. The Policy defines the minimum information security requirements that all State entities (including all public benefit corporations) must follow to secure and protect the confidentiality, integrity, and availability of information. This includes requirements for ensuring systems are up to date and maintained at vendor-supported levels (i.e., systems continue to be updated and patched by the system’s vendor).

Our initial report, covering the period January 1, 2019 through April 3, 2019, examined whether RGRTA was complying with requirements to maintain its systems at vendor-supported levels. We evaluated selected systems and determined that, generally, RGRTA maintained its systems at vendor-supported levels. However, we did identify unsupported systems used by RGRTA on 14 devices. We also found that RGRTA officials had not developed policies and procedures to ensure that its systems were regularly reviewed and kept up to date. Generally, RGRTA officials agreed with our recommendations and indicated they would take actions to implement them.

The objective of our follow-up was to assess the extent of implementation, as of October 29, 2020, of the two recommendations included in our initial audit report.

Key Finding

RGRTA officials have made significant progress in addressing the problems we identified in the initial audit report. Both recommendations have been implemented.

State Government Accountability Contact Information:
Audit Director: Nadine Morrell
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236